@enbox/auth 0.6.31 → 0.6.33
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/esm/auth-manager.js +78 -43
- package/dist/esm/auth-manager.js.map +1 -1
- package/dist/esm/connect/lifecycle.js +29 -31
- package/dist/esm/connect/lifecycle.js.map +1 -1
- package/dist/esm/connect/restore.js +3 -2
- package/dist/esm/connect/restore.js.map +1 -1
- package/dist/esm/connect/wallet.js +10 -2
- package/dist/esm/connect/wallet.js.map +1 -1
- package/dist/esm/identity-session.js +11 -23
- package/dist/esm/identity-session.js.map +1 -1
- package/dist/esm/password-provider.js.map +1 -1
- package/dist/esm/types.js.map +1 -1
- package/dist/esm/wallet-connect-client.js +12 -10
- package/dist/esm/wallet-connect-client.js.map +1 -1
- package/dist/types/auth-manager.d.ts +36 -12
- package/dist/types/auth-manager.d.ts.map +1 -1
- package/dist/types/connect/lifecycle.d.ts +16 -2
- package/dist/types/connect/lifecycle.d.ts.map +1 -1
- package/dist/types/connect/restore.d.ts.map +1 -1
- package/dist/types/connect/wallet.d.ts.map +1 -1
- package/dist/types/identity-session.d.ts +11 -42
- package/dist/types/identity-session.d.ts.map +1 -1
- package/dist/types/password-provider.d.ts +25 -9
- package/dist/types/password-provider.d.ts.map +1 -1
- package/dist/types/types.d.ts +18 -13
- package/dist/types/types.d.ts.map +1 -1
- package/dist/types/wallet-connect-client.d.ts.map +1 -1
- package/package.json +11 -7
- package/src/auth-manager.ts +98 -57
- package/src/connect/lifecycle.ts +58 -36
- package/src/connect/restore.ts +15 -5
- package/src/connect/wallet.ts +11 -3
- package/src/identity-session.ts +11 -55
- package/src/password-provider.ts +27 -11
- package/src/types.ts +19 -15
- package/src/wallet-connect-client.ts +13 -11
package/dist/types/types.d.ts
CHANGED
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
* Public types for the authentication and identity management SDK.
|
|
4
4
|
*/
|
|
5
5
|
import type { PortableDid } from '@enbox/dids';
|
|
6
|
-
import type { ConnectPermissionRequest, DelegateContextKey, DelegateDecryptionKey, DwnDataEncodedRecordsWriteMessage, DwnProtocolDefinition, EnboxUserAgent, HdIdentityVault, LocalDwnStrategy, PortableIdentity } from '@enbox/agent';
|
|
6
|
+
import type { AgentSessionIdentity, ConnectPermissionRequest, DelegateContextKey, DelegateDecryptionKey, DwnDataEncodedRecordsWriteMessage, DwnProtocolDefinition, EnboxUserAgent, HdIdentityVault, LocalDwnStrategy, PortableIdentity } from '@enbox/agent';
|
|
7
7
|
import type { PasswordProvider } from './password-provider.js';
|
|
8
8
|
export type { ConnectPermissionRequest, DelegateContextKey, DelegateDecryptionKey, HdIdentityVault, IdentityVaultBackup, LocalDwnStrategy, PortableIdentity } from '@enbox/agent';
|
|
9
9
|
export type { EnboxUserAgent } from '@enbox/agent';
|
|
@@ -58,18 +58,15 @@ export interface AuthEventMap {
|
|
|
58
58
|
}
|
|
59
59
|
/** A type-safe event handler for a specific event. */
|
|
60
60
|
export type AuthEventHandler<E extends AuthEvent = AuthEvent> = (payload: AuthEventMap[E]) => void;
|
|
61
|
-
/**
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
*/
|
|
71
|
-
connectedDid?: string;
|
|
72
|
-
}
|
|
61
|
+
/**
|
|
62
|
+
* Lightweight metadata about a stored identity.
|
|
63
|
+
*
|
|
64
|
+
* @deprecated Prefer {@link AgentSessionIdentity} from `@enbox/agent` — this
|
|
65
|
+
* alias exists for `@enbox/auth`'s self-contained public surface but the
|
|
66
|
+
* canonical name lives in the agent package. The two are structurally
|
|
67
|
+
* identical; new code should import `AgentSessionIdentity` directly.
|
|
68
|
+
*/
|
|
69
|
+
export type IdentityInfo = AgentSessionIdentity;
|
|
73
70
|
/** Serializable session info for the `session-start` event. */
|
|
74
71
|
export interface AuthSessionInfo {
|
|
75
72
|
did: string;
|
|
@@ -426,6 +423,14 @@ export interface HandlerConnectOptions {
|
|
|
426
423
|
* on `AuthManager.create()`.
|
|
427
424
|
*/
|
|
428
425
|
connectHandler?: ConnectHandler;
|
|
426
|
+
/**
|
|
427
|
+
* Vault password for this call (overrides the manager default).
|
|
428
|
+
*
|
|
429
|
+
* The handler flow still needs to unlock the local agent's vault to receive
|
|
430
|
+
* delegated grants — passing `password` per-call lets callers override the
|
|
431
|
+
* default supplied to `AuthManager.create()`.
|
|
432
|
+
*/
|
|
433
|
+
password?: string;
|
|
429
434
|
/** Override manager default sync interval. */
|
|
430
435
|
sync?: SyncOption;
|
|
431
436
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,KAAK,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,iCAAiC,EAAE,qBAAqB,EAAE,cAAc,EAAE,eAAe,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,KAAK,EAAE,oBAAoB,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,iCAAiC,EAAE,qBAAqB,EAAE,cAAc,EAAE,eAAe,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAE7P,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG/D,YAAY,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGlL,YAAY,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAInD;;;;;;;GAOG;AACH,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG,GAAG,MAAM,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,EAAE,CAAC;AAI/D;;;;;;;;;GASG;AACH,MAAM,MAAM,SAAS,GACjB,eAAe,GACf,QAAQ,GACR,UAAU,GACV,WAAW,CAAC;AAIhB,mDAAmD;AACnD,MAAM,MAAM,SAAS,GACjB,cAAc,GACd,eAAe,GACf,aAAa,GACb,gBAAgB,GAChB,kBAAkB,GAClB,cAAc,GACd,gBAAgB,GAChB,qBAAqB,GACrB,uBAAuB,CAAC;AAE5B,wDAAwD;AACxD,MAAM,WAAW,YAAY;IAC3B,cAAc,EAAE;QAAE,QAAQ,EAAE,SAAS,CAAC;QAAC,OAAO,EAAE,SAAS,CAAA;KAAE,CAAC;IAC5D,eAAe,EAAE;QAAE,OAAO,EAAE,eAAe,CAAA;KAAE,CAAC;IAC9C,aAAa,EAAE;QAAE,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/B,gBAAgB,EAAE;QAAE,QAAQ,EAAE,YAAY,CAAA;KAAE,CAAC;IAC7C,kBAAkB,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IACvC,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACtC,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACxC,mEAAmE;IACnE,qBAAqB,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IAC5C,6GAA6G;IAC7G,uBAAuB,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;CAChD;AAED,sDAAsD;AACtD,MAAM,MAAM,gBAAgB,CAAC,CAAC,SAAS,SAAS,GAAG,SAAS,IAC1D,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC;AAIrC;;;;;;;GAOG;AACH,MAAM,MAAM,YAAY,GAAG,oBAAoB,CAAC;AAEhD,+DAA+D;AAC/D,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,YAAY,CAAC;CACxB;AAID,gEAAgE;AAChE,MAAM,WAAW,kBAAkB;IACjC,+EAA+E;IAC/E,YAAY,EAAE,MAAM,CAAC;IACrB,6DAA6D;IAC7D,WAAW,EAAE,MAAM,CAAC;IACpB,4EAA4E;IAC5E,KAAK,EAAE,MAAM,CAAC;CACf;AAED,yEAAyE;AACzE,MAAM,WAAW,kBAAkB;IACjC,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;IACb,sEAAsE;IACtE,KAAK,EAAE,MAAM,CAAC;CACf;AAED,4DAA4D;AAC5D,MAAM,WAAW,qBAAqB;IACpC,wDAAwD;IACxD,iBAAiB,EAAE,MAAM,CAAC;IAC1B,2DAA2D;IAC3D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gEAAgE;IAChE,QAAQ,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAID;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,mBAAmB;IAClC,+DAA+D;IAC/D,SAAS,EAAE,MAAM,IAAI,CAAC;IAEtB,8CAA8C;IAC9C,SAAS,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;IAEpC;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,CAAC,MAAM,EAAE,kBAAkB,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAErF;;;;;;;;OAQG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;IAE3D;;;;;;;;;;OAUG;IACH,oBAAoB,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,KAAK,IAAI,CAAC;IAE/E;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAID;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC5B,yDAAyD;IACzD,mBAAmB,EAAE,WAAW,CAAC;IAEjC,qDAAqD;IACrD,cAAc,EAAE,iCAAiC,EAAE,CAAC;IAEpD,0EAA0E;IAC1E,YAAY,EAAE,MAAM,CAAC;IAErB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,qBAAqB,EAAE,CAAC;IAEjD;;;OAGG;IACH,mBAAmB,CAAC,EAAE,kBAAkB,EAAE,CAAC;IAE3C;;;OAGG;IACH,2BAA2B,CAAC,EAAE,MAAM,EAAE,CAAC;IAEvC,qFAAqF;IACrF,kBAAkB,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CACvE;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC7B;;;;;OAKG;IACH,aAAa,CAAC,MAAM,EAAE;QACpB,kBAAkB,EAAE,wBAAwB,EAAE,CAAC;KAChD,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC,CAAC;CACxC;AAED,8CAA8C;AAC9C,MAAM,WAAW,kBAAkB;IACjC;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,EAAE,cAAc,CAAC;IAEvB;;;;OAIG;IACH,UAAU,CAAC,EAAE,eAAe,CAAC;IAE7B;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAEpC;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,8EAA8E;IAC9E,OAAO,CAAC,EAAE,cAAc,CAAC;IAEzB;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;;;;;;;;;;;;;;;OAmBG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAEpC;;;;;OAKG;IACH,IAAI,CAAC,EAAE,UAAU,CAAC;IAElB,gDAAgD;IAChD,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IAExB,sCAAsC;IACtC,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAEnC;;;;;;;;;;;;;;;;;OAiBG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;CACjC;AAED,+CAA+C;AAC/C,MAAM,WAAW,mBAAmB;IAClC,kDAAkD;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,kEAAkE;IAClE,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;IAElB,8CAA8C;IAC9C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IAExB,yBAAyB;IACzB,QAAQ,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAE7B;;;;;;;;;;;;;;;OAeG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAID;;;;;;GAMG;AACH,MAAM,MAAM,eAAe,GACvB,qBAAqB,GACrB;IAAE,UAAU,EAAE,qBAAqB,CAAC;IAAC,WAAW,EAAE,UAAU,EAAE,CAAA;CAAE,CAAC;AAErE,0DAA0D;AAC1D,MAAM,MAAM,UAAU,GAAG,OAAO,GAAG,MAAM,GAAG,QAAQ,GAAG,OAAO,GAAG,WAAW,GAAG,WAAW,CAAC;AAE3F,+EAA+E;AAC/E,eAAO,MAAM,mBAAmB,EAAE,UAAU,EAAmE,CAAC;AAEhH;;;;;;GAMG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;;;;;;;;;;;;;;;OAiBG;IACH,SAAS,CAAC,EAAE,eAAe,EAAE,CAAC;IAE9B;;;OAGG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;CACnB;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,cAAc,GAAG,qBAAqB,GAAG,mBAAmB,CAAC;AAEzE,qDAAqD;AACrD,MAAM,WAAW,oBAAoB;IACnC,gEAAgE;IAChE,WAAW,EAAE,MAAM,CAAC;IAEpB,uCAAuC;IACvC,gBAAgB,EAAE,MAAM,CAAC;IAEzB,yDAAyD;IACzD,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;;;;;OAOG;IACH,kBAAkB,EAAE,wBAAwB,EAAE,CAAC;IAE/C,+DAA+D;IAC/D,gBAAgB,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAExC,+CAA+C;IAC/C,WAAW,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IAEnC,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;CACnB;AAED,wDAAwD;AACxD,MAAM,WAAW,uBAAuB;IACtC,kCAAkC;IAClC,cAAc,EAAE,MAAM,CAAC;IAEvB,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IAEjB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;IAElB,8CAA8C;IAC9C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,0DAA0D;AAC1D,MAAM,WAAW,yBAAyB;IACxC,4CAA4C;IAC5C,gBAAgB,EAAE,gBAAgB,CAAC;IAEnC,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;CACnB;AAED,sDAAsD;AACtD,MAAM,WAAW,qBAAqB;IACpC,gEAAgE;IAChE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;;;;;;;;;;;;;;OAkBG;IACH,kBAAkB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;CAC5C;AAED,uDAAuD;AACvD,MAAM,WAAW,sBAAsB;IACrC,kDAAkD;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,gDAAgD;AAChD,MAAM,WAAW,eAAe;IAC9B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,kDAAkD;AAClD,MAAM,WAAW,iBAAiB;IAChC;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAID;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,uDAAuD;IACvD,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAEzC,4BAA4B;IAC5B,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE/C,oBAAoB;IACpB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnC,6BAA6B;IAC7B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvB;;;;;;OAMG;IACH,KAAK,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACzB;AAID,gEAAgE;AAChE,eAAO,MAAM,yBAAyB,2BAA2B,CAAC;AAElE,yEAAyE;AACzE,eAAO,MAAM,qBAAqB,UAAgC,CAAC;AAEnE;;;GAGG;AACH,eAAO,MAAM,YAAY;IACvB,oDAAoD;;IAGpD,+CAA+C;;IAG/C,4DAA4D;;IAG5D,yDAAyD;;IAGzD;;;;OAIG;;IAGH;;;OAGG;;IAGH;;;;OAIG;;IAGH;;;;;;OAMG;;IAGH;;;;;;OAMG;;IAGH;;;OAGG;;IAGH;;;;;;;OAOG;;CAEK,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"wallet-connect-client.d.ts","sourceRoot":"","sources":["../../src/wallet-connect-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,wBAAwB,EAAsB,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACxG,OAAO,KAAK,EAAyB,oBAAoB,EAAE,MAAM,cAAc,CAAC;AAQhF;;;;;;GAMG;AACH,MAAM,MAAM,0BAA0B,GAAG;IACvC,6EAA6E;IAC7E,WAAW,EAAE,MAAM,CAAC;IAEpB,sFAAsF;IACtF,gBAAgB,EAAE,MAAM,CAAC;IAEzB;;;;OAIG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;;;OAIG;IACH,kBAAkB,EAAE,wBAAwB,EAAE,CAAC;IAE/C;;;;;OAKG;IACH,gBAAgB,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAExC;;;;;OAKG;IACH,WAAW,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;CACpC,CAAC;AAEF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C;;GAEG;AACH,MAAM,MAAM,yBAAyB,GAAG;IACtC,+DAA+D;IAC/D,UAAU,EAAE,qBAAqB,CAAC;IAElC,uDAAuD;IACvD,WAAW,EAAE,UAAU,EAAE,CAAC;CAC3B,CAAC;AAEF;;;GAGG;AACH,iBAAe,UAAU,CAAC,EACxB,WAAW,EACX,gBAAgB,EAChB,SAAS,EACT,kBAAkB,EAClB,gBAAgB,EAChB,WAAW,GACZ,EAAE,0BAA0B,GAAG,OAAO,CAAC;IACtC,cAAc,EAAE,oBAAoB,CAAC,gBAAgB,CAAC,CAAC;IACvD,mBAAmB,EAAE,oBAAoB,CAAC,qBAAqB,CAAC,CAAC;IACjE,YAAY,EAAE,MAAM,CAAC;IACrB,sBAAsB,CAAC,EAAE,oBAAoB,CAAC,wBAAwB,CAAC,CAAC;IACxE,mBAAmB,CAAC,EAAE,oBAAoB,CAAC,qBAAqB,CAAC,CAAC;IAClE,2BAA2B,CAAC,EAAE,oBAAoB,CAAC,6BAA6B,CAAC,CAAC;IAClF,kBAAkB,CAAC,EAAE,oBAAoB,CAAC,oBAAoB,CAAC,CAAC;CACjE,GAAG,SAAS,CAAC,
|
|
1
|
+
{"version":3,"file":"wallet-connect-client.d.ts","sourceRoot":"","sources":["../../src/wallet-connect-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,wBAAwB,EAAsB,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACxG,OAAO,KAAK,EAAyB,oBAAoB,EAAE,MAAM,cAAc,CAAC;AAQhF;;;;;;GAMG;AACH,MAAM,MAAM,0BAA0B,GAAG;IACvC,6EAA6E;IAC7E,WAAW,EAAE,MAAM,CAAC;IAEpB,sFAAsF;IACtF,gBAAgB,EAAE,MAAM,CAAC;IAEzB;;;;OAIG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;;;OAIG;IACH,kBAAkB,EAAE,wBAAwB,EAAE,CAAC;IAE/C;;;;;OAKG;IACH,gBAAgB,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAExC;;;;;OAKG;IACH,WAAW,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;CACpC,CAAC;AAEF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C;;GAEG;AACH,MAAM,MAAM,yBAAyB,GAAG;IACtC,+DAA+D;IAC/D,UAAU,EAAE,qBAAqB,CAAC;IAElC,uDAAuD;IACvD,WAAW,EAAE,UAAU,EAAE,CAAC;CAC3B,CAAC;AAEF;;;GAGG;AACH,iBAAe,UAAU,CAAC,EACxB,WAAW,EACX,gBAAgB,EAChB,SAAS,EACT,kBAAkB,EAClB,gBAAgB,EAChB,WAAW,GACZ,EAAE,0BAA0B,GAAG,OAAO,CAAC;IACtC,cAAc,EAAE,oBAAoB,CAAC,gBAAgB,CAAC,CAAC;IACvD,mBAAmB,EAAE,oBAAoB,CAAC,qBAAqB,CAAC,CAAC;IACjE,YAAY,EAAE,MAAM,CAAC;IACrB,sBAAsB,CAAC,EAAE,oBAAoB,CAAC,wBAAwB,CAAC,CAAC;IACxE,mBAAmB,CAAC,EAAE,oBAAoB,CAAC,qBAAqB,CAAC,CAAC;IAClE,2BAA2B,CAAC,EAAE,oBAAoB,CAAC,6BAA6B,CAAC,CAAC;IAClF,kBAAkB,CAAC,EAAE,oBAAoB,CAAC,oBAAoB,CAAC,CAAC;CACjE,GAAG,SAAS,CAAC,CA6Gb;AAED;;;;;;;GAOG;AACH,iBAAS,kCAAkC,CAAC,EAAE,UAAU,EAAE,WAAW,EAAE,EAAE,yBAAyB,GAAG,wBAAwB,CAsE5H;AAED,eAAO,MAAM,aAAa;;;CAAqD,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@enbox/auth",
|
|
3
|
-
"version": "0.6.
|
|
3
|
+
"version": "0.6.33",
|
|
4
4
|
"description": "Headless authentication and identity management SDK for Enbox",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./dist/esm/index.js",
|
|
@@ -37,6 +37,10 @@
|
|
|
37
37
|
".": {
|
|
38
38
|
"types": "./dist/types/index.d.ts",
|
|
39
39
|
"import": "./dist/esm/index.js"
|
|
40
|
+
},
|
|
41
|
+
"./auth-manager": {
|
|
42
|
+
"types": "./dist/types/auth-manager.d.ts",
|
|
43
|
+
"import": "./dist/esm/auth-manager.js"
|
|
40
44
|
}
|
|
41
45
|
},
|
|
42
46
|
"keywords": [
|
|
@@ -56,12 +60,12 @@
|
|
|
56
60
|
"bun": ">=1.0.0"
|
|
57
61
|
},
|
|
58
62
|
"dependencies": {
|
|
59
|
-
"@enbox/agent": "0.
|
|
60
|
-
"@enbox/common": "0.1.
|
|
61
|
-
"@enbox/crypto": "0.1.
|
|
62
|
-
"@enbox/dids": "0.1.
|
|
63
|
-
"@enbox/dwn-clients": "0.
|
|
64
|
-
"@enbox/dwn-sdk-js": "0.3.
|
|
63
|
+
"@enbox/agent": "0.7.1",
|
|
64
|
+
"@enbox/common": "0.1.1",
|
|
65
|
+
"@enbox/crypto": "0.1.1",
|
|
66
|
+
"@enbox/dids": "0.1.1",
|
|
67
|
+
"@enbox/dwn-clients": "0.4.1",
|
|
68
|
+
"@enbox/dwn-sdk-js": "0.3.6",
|
|
65
69
|
"level": "8.0.1"
|
|
66
70
|
},
|
|
67
71
|
"devDependencies": {
|
package/src/auth-manager.ts
CHANGED
|
@@ -3,10 +3,19 @@
|
|
|
3
3
|
*
|
|
4
4
|
* Replaces `Enbox.connect()` (formerly `Web5.connect()`) with a composable,
|
|
5
5
|
* multi-identity-aware auth system that works in both browser and CLI environments.
|
|
6
|
+
*
|
|
7
|
+
* NOTE: this file is also exposed as the `@enbox/auth/auth-manager` subpath
|
|
8
|
+
* export so `@enbox/api` can import the AuthManager class without pulling in
|
|
9
|
+
* the full barrel. The subpath is **internal to the monorepo** — external
|
|
10
|
+
* consumers should import from `@enbox/auth` (or `@enbox/browser`) instead;
|
|
11
|
+
* the subpath's file layout is not part of any stability guarantee.
|
|
12
|
+
*
|
|
13
|
+
* @internal
|
|
6
14
|
* @module
|
|
7
15
|
*/
|
|
8
16
|
|
|
9
|
-
import type {
|
|
17
|
+
import type { RecordsWriteMessage } from '@enbox/dwn-sdk-js';
|
|
18
|
+
import type { AgentSessionIdentity, BearerIdentity, DwnDataEncodedRecordsWriteMessage, HdIdentityVault, PortableIdentity } from '@enbox/agent';
|
|
10
19
|
|
|
11
20
|
import type { FlowContext } from './connect/lifecycle.js';
|
|
12
21
|
import type { PasswordProvider } from './password-provider.js';
|
|
@@ -20,7 +29,6 @@ import type {
|
|
|
20
29
|
DisconnectOptions,
|
|
21
30
|
HandlerConnectOptions,
|
|
22
31
|
HeadlessConnectOptions,
|
|
23
|
-
IdentityInfo,
|
|
24
32
|
ImportFromPhraseOptions,
|
|
25
33
|
ImportFromPortableOptions,
|
|
26
34
|
LocalConnectOptions,
|
|
@@ -241,12 +249,14 @@ export class AuthManager {
|
|
|
241
249
|
const restored = await restoreSession(this._flowContext());
|
|
242
250
|
if (restored) { return restored; }
|
|
243
251
|
|
|
244
|
-
// 2. Route to the appropriate flow.
|
|
252
|
+
// 2. Route to the appropriate flow. `_isLocalConnect` is a type guard
|
|
253
|
+
// so the two branches receive correctly narrowed `options` types
|
|
254
|
+
// without casts.
|
|
245
255
|
if (this._isLocalConnect(options)) {
|
|
246
|
-
return localConnect(this._flowContext(), options
|
|
256
|
+
return localConnect(this._flowContext(), options);
|
|
247
257
|
}
|
|
248
258
|
|
|
249
|
-
return this._handlerConnect(options
|
|
259
|
+
return this._handlerConnect(options);
|
|
250
260
|
});
|
|
251
261
|
}
|
|
252
262
|
|
|
@@ -305,6 +315,7 @@ export class AuthManager {
|
|
|
305
315
|
* This replaces the manual `previouslyConnected` localStorage pattern.
|
|
306
316
|
*/
|
|
307
317
|
async restoreSession(options?: RestoreSessionOptions): Promise<AuthSession | undefined> {
|
|
318
|
+
this._guardShutdown();
|
|
308
319
|
this._guardConcurrency();
|
|
309
320
|
this._isConnecting = true;
|
|
310
321
|
|
|
@@ -345,6 +356,7 @@ export class AuthManager {
|
|
|
345
356
|
* ```
|
|
346
357
|
*/
|
|
347
358
|
async connectHeadless(options?: HeadlessConnectOptions): Promise<AuthSession> {
|
|
359
|
+
this._guardShutdown();
|
|
348
360
|
let password = options?.password ?? this._defaultPassword;
|
|
349
361
|
const isFirstLaunch = await this._userAgent.firstLaunch();
|
|
350
362
|
|
|
@@ -385,7 +397,7 @@ export class AuthManager {
|
|
|
385
397
|
|
|
386
398
|
const { connectedDid, delegateDid } = resolveIdentityDids(identity);
|
|
387
399
|
|
|
388
|
-
const identityInfo:
|
|
400
|
+
const identityInfo: AgentSessionIdentity = {
|
|
389
401
|
didUri : connectedDid,
|
|
390
402
|
name : identity.metadata.name,
|
|
391
403
|
connectedDid : identity.metadata.connectedDid,
|
|
@@ -496,17 +508,17 @@ export class AuthManager {
|
|
|
496
508
|
messageType : DwnInterface.RecordsRead,
|
|
497
509
|
messageParams : { filter: { recordId: grantId } },
|
|
498
510
|
});
|
|
499
|
-
if (readReply.status.code !== 200 || !readReply.entry) { continue; }
|
|
511
|
+
if (readReply.status.code !== 200 || !readReply.entry?.recordsWrite) { continue; }
|
|
500
512
|
// Reconstruct DwnDataEncodedRecordsWriteMessage: RecordsRead returns
|
|
501
513
|
// data as a stream, but PermissionGrant.parse needs encodedData.
|
|
502
514
|
const grantDataBytes = readReply.entry.data
|
|
503
515
|
? await DataStream.toBytes(readReply.entry.data)
|
|
504
516
|
: new Uint8Array(0);
|
|
505
|
-
const grantMsgWithData = {
|
|
517
|
+
const grantMsgWithData: DwnDataEncodedRecordsWriteMessage = {
|
|
506
518
|
...readReply.entry.recordsWrite,
|
|
507
519
|
encodedData: Convert.uint8Array(grantDataBytes).toBase64Url(),
|
|
508
520
|
};
|
|
509
|
-
const grant = DwnPermissionGrant.parse(grantMsgWithData
|
|
521
|
+
const grant = DwnPermissionGrant.parse(grantMsgWithData);
|
|
510
522
|
|
|
511
523
|
// Self-healing: ensure the revocation grant is on the remote
|
|
512
524
|
// DWN. The best-effort fanout at connect time may have failed.
|
|
@@ -519,7 +531,19 @@ export class AuthManager {
|
|
|
519
531
|
messageParams : { filter: { recordId: revocationGrantId } },
|
|
520
532
|
});
|
|
521
533
|
if (revGrantReply.status.code === 200 && revGrantReply.entry?.recordsWrite) {
|
|
522
|
-
|
|
534
|
+
// Strip `encodedData` from the wire payload — the
|
|
535
|
+
// bytes are sent via `data` (Blob) on the next line.
|
|
536
|
+
// `RecordsWriteMessage` doesn't declare `encodedData`,
|
|
537
|
+
// but the wire-format reply may include it; widen the
|
|
538
|
+
// local type to acknowledge that without `any`.
|
|
539
|
+
// NOSONAR S4325 false positive: the cast is required to
|
|
540
|
+
// typecheck the destructuring of the undeclared
|
|
541
|
+
// optional `encodedData` property; removing it fails
|
|
542
|
+
// TS2339. Sonar reads the intersection-with-optional-
|
|
543
|
+
// field as a no-op widening, which it isn't here.
|
|
544
|
+
type RecordsWriteWireMessage = RecordsWriteMessage & { encodedData?: string };
|
|
545
|
+
const { encodedData: _encoded, ...revGrantRaw } =
|
|
546
|
+
revGrantReply.entry.recordsWrite as RecordsWriteWireMessage; // NOSONAR
|
|
523
547
|
const revGrantData = revGrantReply.entry.data
|
|
524
548
|
? new Blob([await DataStream.toBytes(revGrantReply.entry.data) as BlobPart])
|
|
525
549
|
: undefined;
|
|
@@ -552,7 +576,7 @@ export class AuthManager {
|
|
|
552
576
|
// delivery, the owner-side authority source won't see it.
|
|
553
577
|
let remoteDelivered = false;
|
|
554
578
|
if (revocationMessage && remoteDwnUrls.length > 0) {
|
|
555
|
-
const { encodedData, ...rawMessage } = revocationMessage
|
|
579
|
+
const { encodedData, ...rawMessage } = revocationMessage;
|
|
556
580
|
const data = encodedData
|
|
557
581
|
? new Blob([Convert.base64Url(encodedData).toUint8Array() as BlobPart])
|
|
558
582
|
: undefined;
|
|
@@ -783,7 +807,7 @@ export class AuthManager {
|
|
|
783
807
|
* Each identity has a DID URI, name, and optional connected DID
|
|
784
808
|
* (for wallet-connected/delegated identities).
|
|
785
809
|
*/
|
|
786
|
-
async listIdentities(): Promise<
|
|
810
|
+
async listIdentities(): Promise<AgentSessionIdentity[]> {
|
|
787
811
|
const identities = await this._userAgent.identity.list();
|
|
788
812
|
return identities.map((identity: BearerIdentity) => ({
|
|
789
813
|
didUri : identity.did.uri,
|
|
@@ -815,7 +839,7 @@ export class AuthManager {
|
|
|
815
839
|
await this._storage.set(STORAGE_KEYS.PREVIOUSLY_CONNECTED, 'true');
|
|
816
840
|
await this._storage.set(STORAGE_KEYS.ACTIVE_IDENTITY, connectedDid);
|
|
817
841
|
|
|
818
|
-
const identityInfo:
|
|
842
|
+
const identityInfo: AgentSessionIdentity = {
|
|
819
843
|
didUri : connectedDid,
|
|
820
844
|
name : identity.metadata.name,
|
|
821
845
|
connectedDid : identity.metadata.connectedDid,
|
|
@@ -954,45 +978,37 @@ export class AuthManager {
|
|
|
954
978
|
/**
|
|
955
979
|
* Determine whether the given options indicate a local connect flow.
|
|
956
980
|
*
|
|
957
|
-
*
|
|
958
|
-
*
|
|
959
|
-
*
|
|
960
|
-
*
|
|
981
|
+
* Handler intent is asserted by the presence of a non-empty `protocols`
|
|
982
|
+
* array OR a non-null `connectHandler`; everything else (including the
|
|
983
|
+
* no-options case, an empty `protocols: []`, and `null` values from JS
|
|
984
|
+
* callers) routes to local. An empty `protocols` array is intentionally
|
|
985
|
+
* NOT a handler signal — it carries no permission scopes for the handler
|
|
986
|
+
* to authorize, so treating it as handler-flow would produce a zero-grant
|
|
987
|
+
* "connected" session indistinguishable from a denied connect.
|
|
988
|
+
*
|
|
989
|
+
* Acts as a TypeScript type guard: a `true` return narrows `options` to
|
|
990
|
+
* `LocalConnectOptions | undefined` at call sites, so the routing in
|
|
991
|
+
* {@link AuthManager.connect} can dispatch without unsafe casts.
|
|
961
992
|
*/
|
|
962
|
-
private _isLocalConnect(options?: ConnectOptions):
|
|
963
|
-
|
|
964
|
-
|
|
965
|
-
|
|
966
|
-
const hasLocalSignals = (
|
|
967
|
-
o.password !== undefined ||
|
|
968
|
-
o.createIdentity !== undefined ||
|
|
969
|
-
o.recoveryPhrase !== undefined ||
|
|
970
|
-
o.dwnEndpoints !== undefined ||
|
|
971
|
-
o.metadata !== undefined
|
|
972
|
-
);
|
|
973
|
-
if (hasLocalSignals) { return true; }
|
|
974
|
-
|
|
975
|
-
// If any handler-connect signals are present, use the handler flow.
|
|
976
|
-
const hasHandlerSignals = (
|
|
977
|
-
o.protocols !== undefined ||
|
|
978
|
-
o.connectHandler !== undefined
|
|
979
|
-
);
|
|
980
|
-
if (hasHandlerSignals) { return false; }
|
|
981
|
-
|
|
982
|
-
// No explicit signals → default to local connect.
|
|
983
|
-
// Callers that want handler-based connect must provide protocols
|
|
984
|
-
// or a connectHandler.
|
|
993
|
+
private _isLocalConnect(options?: ConnectOptions): options is LocalConnectOptions | undefined {
|
|
994
|
+
if (options === undefined || options === null) { return true; }
|
|
995
|
+
if ('protocols' in options && Array.isArray(options.protocols) && options.protocols.length > 0) { return false; }
|
|
996
|
+
if ('connectHandler' in options && options.connectHandler !== undefined && options.connectHandler !== null) { return false; }
|
|
985
997
|
return true;
|
|
986
998
|
}
|
|
987
999
|
|
|
988
1000
|
/**
|
|
989
1001
|
* Run a handler-based (delegated) connect flow.
|
|
990
1002
|
*
|
|
991
|
-
*
|
|
992
|
-
*
|
|
993
|
-
*
|
|
994
|
-
*
|
|
995
|
-
*
|
|
1003
|
+
* Handler resolution happens BEFORE any vault I/O so a misconfigured call
|
|
1004
|
+
* (no handler reachable) fails fast without mutating on-disk state.
|
|
1005
|
+
*
|
|
1006
|
+
* 1. Resolve the connect handler (fast-fail when none is reachable).
|
|
1007
|
+
* 2. Initialize the vault (agent-only, no identity).
|
|
1008
|
+
* 3. Normalize protocol permission requests.
|
|
1009
|
+
* 4. Delegate to the connect handler for credential acquisition.
|
|
1010
|
+
* 5. Import the delegate DID, process grants, set up sync.
|
|
1011
|
+
* 6. Finalize and return the AuthSession.
|
|
996
1012
|
*/
|
|
997
1013
|
private async _handlerConnect(
|
|
998
1014
|
options?: HandlerConnectOptions,
|
|
@@ -1001,15 +1017,8 @@ export class AuthManager {
|
|
|
1001
1017
|
const { userAgent, emitter, storage } = ctx;
|
|
1002
1018
|
const sync = options?.sync ?? ctx.defaultSync;
|
|
1003
1019
|
|
|
1004
|
-
// 1.
|
|
1005
|
-
|
|
1006
|
-
const password = await resolvePassword(ctx, undefined, isFirstLaunch);
|
|
1007
|
-
await ensureVaultReady({ userAgent, emitter, password, isFirstLaunch });
|
|
1008
|
-
|
|
1009
|
-
// 2. Normalize protocol requests.
|
|
1010
|
-
const permissionRequests = normalizeProtocolRequests(options?.protocols);
|
|
1011
|
-
|
|
1012
|
-
// 3. Resolve the handler.
|
|
1020
|
+
// 1. Resolve the handler FIRST. Anything past this point may mutate the
|
|
1021
|
+
// vault on disk, so misconfiguration must fail before that happens.
|
|
1013
1022
|
const handler = options?.connectHandler ?? this._connectHandler;
|
|
1014
1023
|
if (!handler) {
|
|
1015
1024
|
throw new Error(
|
|
@@ -1019,6 +1028,16 @@ export class AuthManager {
|
|
|
1019
1028
|
);
|
|
1020
1029
|
}
|
|
1021
1030
|
|
|
1031
|
+
// 2. Initialize vault (agent-only, no identity). The per-call password
|
|
1032
|
+
// (when supplied via `HandlerConnectOptions.password`) wins over the
|
|
1033
|
+
// manager default, matching the behavior of the local-connect flow.
|
|
1034
|
+
const isFirstLaunch = await userAgent.firstLaunch();
|
|
1035
|
+
const password = await resolvePassword(ctx, options?.password, isFirstLaunch);
|
|
1036
|
+
await ensureVaultReady({ userAgent, emitter, password, isFirstLaunch });
|
|
1037
|
+
|
|
1038
|
+
// 3. Normalize protocol requests.
|
|
1039
|
+
const permissionRequests = normalizeProtocolRequests(options?.protocols);
|
|
1040
|
+
|
|
1022
1041
|
// 4. Delegate to the handler.
|
|
1023
1042
|
const result = await handler.requestAccess({ permissionRequests });
|
|
1024
1043
|
if (!result) {
|
|
@@ -1033,14 +1052,22 @@ export class AuthManager {
|
|
|
1033
1052
|
const identity = await importDelegateAndSetupSync({
|
|
1034
1053
|
userAgent, delegatePortableDid, connectedDid, delegateGrants,
|
|
1035
1054
|
delegateDecryptionKeys, delegateContextKeys, delegateMultiPartyProtocols,
|
|
1036
|
-
sessionRevocations,
|
|
1037
1055
|
flowName: 'Connect',
|
|
1038
1056
|
});
|
|
1039
1057
|
|
|
1040
|
-
// 6. Finalize session.
|
|
1058
|
+
// 6. Finalize session. Pass the transient delegate state explicitly
|
|
1059
|
+
// so `persistOrClearDelegateSecrets` doesn't need to read it back
|
|
1060
|
+
// off the identity (which was the old `(identity as any)._foo`
|
|
1061
|
+
// smuggling pattern).
|
|
1041
1062
|
return finalizeDelegateSession({
|
|
1042
1063
|
userAgent, emitter, storage, identity,
|
|
1043
|
-
connectedDid, delegateDid: delegatePortableDid.uri, sync,
|
|
1064
|
+
connectedDid, delegateDid : delegatePortableDid.uri, sync,
|
|
1065
|
+
delegateState : {
|
|
1066
|
+
delegateDecryptionKeys,
|
|
1067
|
+
delegateContextKeys,
|
|
1068
|
+
delegateMultiPartyProtocols,
|
|
1069
|
+
sessionRevocations,
|
|
1070
|
+
},
|
|
1044
1071
|
});
|
|
1045
1072
|
}
|
|
1046
1073
|
|
|
@@ -1070,8 +1097,13 @@ export class AuthManager {
|
|
|
1070
1097
|
* Consolidates the duplicated concurrency guard, `_isConnecting` flag management,
|
|
1071
1098
|
* session assignment, and state transition across `connect()`, `walletConnect()`,
|
|
1072
1099
|
* `importFromPhrase()`, and `importFromPortable()`.
|
|
1100
|
+
*
|
|
1101
|
+
* Also short-circuits if the manager has already been shut down — using
|
|
1102
|
+
* a closed manager would otherwise fail deep inside sync/storage with an
|
|
1103
|
+
* unhelpful error.
|
|
1073
1104
|
*/
|
|
1074
1105
|
private async _withConnect(fn: () => Promise<AuthSession>): Promise<AuthSession> {
|
|
1106
|
+
this._guardShutdown();
|
|
1075
1107
|
this._guardConcurrency();
|
|
1076
1108
|
this._isConnecting = true;
|
|
1077
1109
|
|
|
@@ -1186,4 +1218,13 @@ export class AuthManager {
|
|
|
1186
1218
|
);
|
|
1187
1219
|
}
|
|
1188
1220
|
}
|
|
1221
|
+
|
|
1222
|
+
private _guardShutdown(): void {
|
|
1223
|
+
if (this._isShutDown) {
|
|
1224
|
+
throw new Error(
|
|
1225
|
+
'[@enbox/auth] AuthManager has been shut down and cannot be reused. ' +
|
|
1226
|
+
'Create a new instance via AuthManager.create().'
|
|
1227
|
+
);
|
|
1228
|
+
}
|
|
1229
|
+
}
|
|
1189
1230
|
}
|
package/src/connect/lifecycle.ts
CHANGED
|
@@ -15,11 +15,11 @@
|
|
|
15
15
|
*/
|
|
16
16
|
|
|
17
17
|
import type { PortableDid } from '@enbox/dids';
|
|
18
|
-
import type { BearerIdentity, DelegateContextKey, DelegateDecryptionKey, DwnDataEncodedRecordsWriteMessage, EnboxUserAgent } from '@enbox/agent';
|
|
18
|
+
import type { AgentSessionIdentity, BearerIdentity, DelegateContextKey, DelegateDecryptionKey, DwnDataEncodedRecordsWriteMessage, EnboxUserAgent } from '@enbox/agent';
|
|
19
19
|
|
|
20
20
|
import type { AuthEventEmitter } from '../events.js';
|
|
21
21
|
import type { PasswordProvider } from '../password-provider.js';
|
|
22
|
-
import type {
|
|
22
|
+
import type { RegistrationOptions, StorageAdapter, SyncOption } from '../types.js';
|
|
23
23
|
|
|
24
24
|
import { Convert } from '@enbox/common';
|
|
25
25
|
import type { GenericMessage } from '@enbox/dwn-sdk-js';
|
|
@@ -91,11 +91,15 @@ export async function resolvePassword(
|
|
|
91
91
|
|
|
92
92
|
password ??= INSECURE_DEFAULT_PASSWORD;
|
|
93
93
|
|
|
94
|
-
|
|
94
|
+
// Two cases reach this branch: no password was supplied at any level
|
|
95
|
+
// (and we fell through to the insecure default), or the caller explicitly
|
|
96
|
+
// supplied an empty string. Both produce a vault with effectively zero
|
|
97
|
+
// password protection — surface a single warning in both cases.
|
|
98
|
+
if (password === INSECURE_DEFAULT_PASSWORD || password.length === 0) {
|
|
95
99
|
console.warn(
|
|
96
|
-
'[@enbox/auth] SECURITY WARNING: No password set
|
|
97
|
-
'
|
|
98
|
-
'
|
|
100
|
+
'[@enbox/auth] SECURITY WARNING: No password set (or an empty string was supplied). ' +
|
|
101
|
+
'Using an insecure default; this leaves the identity vault unprotected. ' +
|
|
102
|
+
'Set a non-empty password via AuthManager.create({ password }) or connect({ password }).'
|
|
99
103
|
);
|
|
100
104
|
}
|
|
101
105
|
|
|
@@ -270,9 +274,11 @@ export function deriveSyncScopeFromGrants(grants: DwnPermissionGrant[]): 'all' |
|
|
|
270
274
|
const protocols = new Set<string>();
|
|
271
275
|
|
|
272
276
|
for (const grant of grants) {
|
|
273
|
-
|
|
274
|
-
|
|
275
|
-
//
|
|
277
|
+
// Only Messages.Read grants authorize sync. The discriminated union
|
|
278
|
+
// (`PermissionScope = Messages | Protocols | Records`) narrows
|
|
279
|
+
// `scope.protocol` to `string | undefined` after the interface +
|
|
280
|
+
// method checks — no cast needed.
|
|
281
|
+
const { scope } = grant;
|
|
276
282
|
if (scope.interface !== 'Messages' || scope.method !== 'Read') {
|
|
277
283
|
continue;
|
|
278
284
|
}
|
|
@@ -282,7 +288,7 @@ export function deriveSyncScopeFromGrants(grants: DwnPermissionGrant[]): 'all' |
|
|
|
282
288
|
continue;
|
|
283
289
|
}
|
|
284
290
|
|
|
285
|
-
const protocol = scope.protocol
|
|
291
|
+
const protocol = scope.protocol;
|
|
286
292
|
if (protocol === undefined) {
|
|
287
293
|
// Unrestricted Messages.Read — delegate can sync all protocols.
|
|
288
294
|
return 'all';
|
|
@@ -331,10 +337,15 @@ export async function deriveActiveSyncScope(
|
|
|
331
337
|
if (revocationResponse.reply.status.code !== 200) { return []; }
|
|
332
338
|
|
|
333
339
|
// Build the set of revoked grant IDs from revocation parent context.
|
|
340
|
+
// `descriptor.parentId` is the canonical location; the top-level
|
|
341
|
+
// `parentId` is a legacy/alternate-format fallback. Typed narrowly
|
|
342
|
+
// (no `any`) so additions to the shape land in the type system.
|
|
334
343
|
const revokedGrantIds = new Set<string>();
|
|
335
344
|
if (revocationResponse.reply.entries) {
|
|
336
345
|
for (const entry of revocationResponse.reply.entries as DwnDataEncodedRecordsWriteMessage[]) {
|
|
337
|
-
const parentId =
|
|
346
|
+
const parentId =
|
|
347
|
+
entry.descriptor.parentId
|
|
348
|
+
?? (entry as { parentId?: string }).parentId;
|
|
338
349
|
if (parentId) { revokedGrantIds.add(parentId); }
|
|
339
350
|
}
|
|
340
351
|
}
|
|
@@ -586,13 +597,12 @@ export async function importDelegateAndSetupSync(params: {
|
|
|
586
597
|
delegateDecryptionKeys?: DelegateDecryptionKey[];
|
|
587
598
|
delegateContextKeys?: DelegateContextKey[];
|
|
588
599
|
delegateMultiPartyProtocols?: string[];
|
|
589
|
-
sessionRevocations?: { grantId: string; revocationGrantId: string }[];
|
|
590
600
|
flowName: string;
|
|
591
601
|
}): Promise<BearerIdentity> {
|
|
592
602
|
const {
|
|
593
603
|
userAgent, delegatePortableDid, connectedDid, delegateGrants,
|
|
594
604
|
delegateDecryptionKeys, delegateContextKeys, delegateMultiPartyProtocols,
|
|
595
|
-
|
|
605
|
+
flowName,
|
|
596
606
|
} = params;
|
|
597
607
|
|
|
598
608
|
let identity: BearerIdentity | undefined;
|
|
@@ -683,20 +693,11 @@ export async function importDelegateAndSetupSync(params: {
|
|
|
683
693
|
// Doing a manual pull first would double the startup burst and can
|
|
684
694
|
// trigger rate limits on the remote DWN.
|
|
685
695
|
|
|
686
|
-
//
|
|
687
|
-
|
|
688
|
-
|
|
689
|
-
|
|
690
|
-
|
|
691
|
-
(identity as any)._delegateContextKeys = delegateContextKeys;
|
|
692
|
-
}
|
|
693
|
-
if (delegateMultiPartyProtocols && delegateMultiPartyProtocols.length > 0) {
|
|
694
|
-
(identity as any)._delegateMultiPartyProtocols = delegateMultiPartyProtocols;
|
|
695
|
-
}
|
|
696
|
-
if (sessionRevocations && sessionRevocations.length > 0) {
|
|
697
|
-
(identity as any)._sessionRevocations = sessionRevocations;
|
|
698
|
-
}
|
|
699
|
-
|
|
696
|
+
// Delegate protocol keys / multi-party state / revocation map are
|
|
697
|
+
// passed back to the caller explicitly via the return value so
|
|
698
|
+
// `finalizeDelegateSession` can persist them. (The previous flow
|
|
699
|
+
// smuggled them through `(identity as any)._foo`, which traded
|
|
700
|
+
// type safety for one fewer return value.)
|
|
700
701
|
return identity;
|
|
701
702
|
} catch (error: unknown) {
|
|
702
703
|
if (identity) {
|
|
@@ -720,6 +721,21 @@ export async function importDelegateAndSetupSync(params: {
|
|
|
720
721
|
|
|
721
722
|
// ─── finalizeDelegateSession ────────────────────────────────────
|
|
722
723
|
|
|
724
|
+
/**
|
|
725
|
+
* Transient state produced by a successful delegated connect flow that
|
|
726
|
+
* `finalizeDelegateSession` persists into the SecretStore + storage
|
|
727
|
+
* adapter. Passed explicitly through the call chain rather than
|
|
728
|
+
* smuggled via private fields on `BearerIdentity`.
|
|
729
|
+
*
|
|
730
|
+
* @internal
|
|
731
|
+
*/
|
|
732
|
+
export type DelegateSessionState = {
|
|
733
|
+
delegateDecryptionKeys?: DelegateDecryptionKey[];
|
|
734
|
+
delegateContextKeys?: DelegateContextKey[];
|
|
735
|
+
delegateMultiPartyProtocols?: string[];
|
|
736
|
+
sessionRevocations?: { grantId: string; revocationGrantId: string }[];
|
|
737
|
+
};
|
|
738
|
+
|
|
723
739
|
/**
|
|
724
740
|
* Build an `AuthSession` for a delegated connect flow (DWeb Connect or
|
|
725
741
|
* relay WalletConnect). Starts sync and persists delegate/connected DID
|
|
@@ -735,8 +751,12 @@ export async function finalizeDelegateSession(params: {
|
|
|
735
751
|
connectedDid: string;
|
|
736
752
|
delegateDid: string;
|
|
737
753
|
sync: SyncOption | undefined;
|
|
754
|
+
delegateState?: DelegateSessionState;
|
|
738
755
|
}): Promise<AuthSession> {
|
|
739
|
-
const {
|
|
756
|
+
const {
|
|
757
|
+
userAgent, emitter, storage, identity, connectedDid, delegateDid, sync,
|
|
758
|
+
delegateState = {},
|
|
759
|
+
} = params;
|
|
740
760
|
|
|
741
761
|
await startSyncIfEnabled(userAgent, sync);
|
|
742
762
|
|
|
@@ -752,7 +772,7 @@ export async function finalizeDelegateSession(params: {
|
|
|
752
772
|
// Persist or clear delegate keys/revocations. Clearing stale values
|
|
753
773
|
// from prior sessions prevents a reconnect with fewer capabilities
|
|
754
774
|
// from retaining old decryption material.
|
|
755
|
-
await persistOrClearDelegateSecrets(userAgent, storage,
|
|
775
|
+
await persistOrClearDelegateSecrets(userAgent, storage, extraStorageKeys, delegateState);
|
|
756
776
|
|
|
757
777
|
// Wire post-connect context key persistence: when the owner creates a
|
|
758
778
|
// new multi-party context, the agent injects the key into the delegate
|
|
@@ -837,8 +857,8 @@ export async function finalizeSession(params: {
|
|
|
837
857
|
await Promise.all(storageWrites);
|
|
838
858
|
|
|
839
859
|
// When identityName is undefined, no user identity exists (agent-only session).
|
|
840
|
-
// Build an
|
|
841
|
-
const identityInfo:
|
|
860
|
+
// Build an AgentSessionIdentity with the agent DID as a fallback.
|
|
861
|
+
const identityInfo: AgentSessionIdentity = {
|
|
842
862
|
didUri : connectedDid,
|
|
843
863
|
name : identityName ?? 'Agent',
|
|
844
864
|
connectedDid : identityConnectedDid,
|
|
@@ -869,11 +889,15 @@ export async function finalizeSession(params: {
|
|
|
869
889
|
async function persistOrClearDelegateSecrets(
|
|
870
890
|
userAgent: EnboxUserAgent,
|
|
871
891
|
storage: StorageAdapter,
|
|
872
|
-
identity: BearerIdentity,
|
|
873
892
|
extraStorageKeys: Record<string, string>,
|
|
893
|
+
delegateState: DelegateSessionState,
|
|
874
894
|
): Promise<void> {
|
|
875
|
-
const
|
|
876
|
-
|
|
895
|
+
const {
|
|
896
|
+
delegateDecryptionKeys,
|
|
897
|
+
delegateContextKeys,
|
|
898
|
+
delegateMultiPartyProtocols,
|
|
899
|
+
sessionRevocations,
|
|
900
|
+
} = delegateState;
|
|
877
901
|
|
|
878
902
|
// Persist or clear keys in the SecretStore + legacy StorageAdapter.
|
|
879
903
|
const secretWrites: Promise<void>[] = [];
|
|
@@ -895,14 +919,12 @@ async function persistOrClearDelegateSecrets(
|
|
|
895
919
|
try { await storage.remove(STORAGE_KEYS.DELEGATE_CONTEXT_KEYS); } catch { /* best-effort */ }
|
|
896
920
|
}
|
|
897
921
|
|
|
898
|
-
const delegateMultiPartyProtocols = (identity as any)._delegateMultiPartyProtocols as string[] | undefined;
|
|
899
922
|
if (delegateMultiPartyProtocols?.length) {
|
|
900
923
|
extraStorageKeys[STORAGE_KEYS.DELEGATE_MULTI_PARTY_PROTOCOLS] = JSON.stringify(delegateMultiPartyProtocols);
|
|
901
924
|
} else {
|
|
902
925
|
try { await storage.remove(STORAGE_KEYS.DELEGATE_MULTI_PARTY_PROTOCOLS); } catch { /* best-effort */ }
|
|
903
926
|
}
|
|
904
927
|
|
|
905
|
-
const sessionRevocations = (identity as any)._sessionRevocations as { grantId: string; revocationGrantId: string }[] | undefined;
|
|
906
928
|
if (sessionRevocations?.length) {
|
|
907
929
|
extraStorageKeys[STORAGE_KEYS.SESSION_REVOCATIONS] = JSON.stringify(sessionRevocations);
|
|
908
930
|
} else {
|